Malware served from NY Times Website

I’ve gotten two calls from clients (OK, one was a client, the other my mother-in-law) saying they visited the NYTimes website and were attacked by malware.

This is true, they were. My MIL said she was trying to read Maureen Dowd and got hit with a rogue anti-spyware application. I was able to CoPilot in and clean things up. (There didn’t seem much to clean up, I killed a running process of IE (she uses Chrome) and the scare-screen went away.

I sparked up an unpatchedWinXP Virtual Machine running IE6 and went to the NYT website, and was prompted immediately to install flash. I opted not to and surfed around the site, fighting the information bar’s insistence that I install an ActiveX Control.

So, I gave in and voila!

protection-check07.com dialog

So, no matter how you answer, you’re already stung.

Of course, your instinct is to click “Cancel” and you do, and then you’re scared out of your wits when confronted with this page from protection-check07.com (don’t go there!) and proceeds to make you think you’re infected.

protection-check07.com demo

But, if we take a second to look at the scare box, we see something is amiss…

Local Drive

We don’t have an E: drive … and the optical drive we have is a CD-Rom, not a DVD-RAM drive…

My Computer

The page that pops up is meant to scare you. The infections it reports are false — the only infection you have (at the moment) is the webpage. If you go into taskmanager and find iexplorer.exe (or firefox.exe if you use Mozilla Firefox) and right-click on it and choose “End Process” that should make the pop-up go away.

If you click ANYWHERE on the page, it will prompt you to download a program:

Malware Downloader

Seems reasonable — you got a warning you were infected, and you want to download a file called “Scanner-75f_2015.exe” seems legit.

IT’S NOT.

(But you knew that by now, right?)

However, this is a clear indication of how a fully patched system gets compromised. Some buys ad space on a major website. They probably serve a lot of legit ads, but in a few instances, they serve illegitmate ads. In this case, they seem to be using Flash as an attack vector. Flash movie loads and redirects your browser to a rogue site, and they’re off to the races.

Since I’m a professional, I downloaded the file — I didn’t run it — and I submitted it to http://virscan.org an online file scanner which tests a file against 37 of the leading anti-virus vendors.

Somewhat sadly, only 5 out of 37 scanners picked this up as malware:

Malware Results

I also ran the file thru VirusTotal.com which tests against 41 scanners, and 7 scanners turned up a positive on our file:

VirusTotal.com Results

You can see the full report over on VirusTotal’s site: http://www.virustotal.com/analisis/7bda9187e26b5a185501874b201731f12e3604c078408500abda83c35ef2fbe1-1252857630

The one thing that surprised me on the results was Microsoft’s detection, trumping McAfee, Symantec, AVG and Clam-AV among many others. I’ve never considered MS a true player in the anti-malware landscape, but perhaps I will re-evaluate.

Kaspersky, and most othersecurity vendors, offers an online scan of your system (requires Java). If you don’t have an anti-virus product installed — or even if you do — you might want to visit a different security vendor site than the one you have to do a check. Belt and suspenders and all that.

(This piece of spyware also eluded my trustyMalwarebytes Anti-Malware (www.malwarebytes.org) which should reinforce that no one piece of software can provide 100% protection.

There is no strong defense for this, as nothing you overtly do can cause it. Make sure your anti-virus is up to date, do regular scans of your computer — but MOST importantly –keep backups.

As for the clients, one of them uses Norton GoBACK (since superceded in the marketplace by Ghost 14) , so they restored their machine back an hour before the infection occurred, went back to the NY Times site, got re-infected, restored AGAIN using GoBack, and then stayed away from the NY Times site. And my Mother-in-Law has been trained well and as soon as the box popped up, she called me and I was able to CoPilot into her machine and close IE before it did any damage… may you all be as lucky.

Further Info:

http://ask.metafilter.com/132707/nytimes-spyware

http://discussions.apple.com/thread.jspa?messageID=10197120&tstart=0

http://forums.mozillazine.org/viewtopic.php?f=38&t=1481195

[UPDATE: 1:30 PM, Sunday Sept 13 – the NY Times site seems to have stopped serving the ad. Further attempts to get infected have proven unsuccessful.]

Don’t Overlook Scheduled Tasks / AT when cleaning malware…

One of our clients picked up some sort of infection over the weekend. The sucker was persistent, and after running the usual battery of utilities — RootkitRevealer, SDFix, ComboFix, Stinger running inside a WinXP PE shell — we got rid of the thing.

When I checked the post-infection System Event Viewer log, however, I got an interesting message:

Event Type:Error
Event Source:Schedule
Event Category:None
Event ID:7901
Date:1/31/2009
Time:9:00:00 PM
User:N/A
Computer:XXX03
Description:
The At46.job command failed to start due to the following error:
The system cannot find the file specified.

Huh? At46.job? I know the machine doesn’t use the AT scheduler… let’s see…

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\administrator\>at
Status ID Day Time Command Line
-------------------------------------------------------------------------------
 1 Each M T W Th F S Su 12:26 AM C:\WINDOWS\system32\Hi3TR1uq.exe
 10 Each M T W Th F S Su 9:00 AM C:\WINDOWS\system32\Hi3TR1uq.exe
 11 Each M T W Th F S Su 10:00 AM C:\WINDOWS\system32\Hi3TR1uq.exe
 12 Each M T W Th F S Su 11:00 AM C:\WINDOWS\system32\Hi3TR1uq.exe
 13 Each M T W Th F S Su 12:00 PM C:\WINDOWS\system32\Hi3TR1uq.exe
 14 Each M T W Th F S Su 1:00 PM C:\WINDOWS\system32\Hi3TR1uq.exe
 15 Each M T W Th F S Su 2:00 PM C:\WINDOWS\system32\Hi3TR1uq.exe
 16 Each M T W Th F S Su 3:00 PM C:\WINDOWS\system32\Hi3TR1uq.exe
 17 Each M T W Th F S Su 4:00 PM C:\WINDOWS\system32\Hi3TR1uq.exe
 18 Each M T W Th F S Su 5:00 PM C:\WINDOWS\system32\Hi3TR1uq.exe
 19 Each M T W Th F S Su 6:00 PM C:\WINDOWS\system32\Hi3TR1uq.exe
 2 Each M T W Th F S Su 1:00 AM C:\WINDOWS\system32\Hi3TR1uq.exe
 20 Each M T W Th F S Su 7:00 PM C:\WINDOWS\system32\Hi3TR1uq.exe
 21 Each M T W Th F S Su 8:00 PM C:\WINDOWS\system32\Hi3TR1uq.exe
Error 22 Each M T W Th F S Su 9:00 PM C:\WINDOWS\system32\Hi3TR1uq.exe

And so forth, with hourly jobs listed down thru job 72. (It kept adding duplicate schedules…)tasksched

You can see we got the infection eradicated before 9 PM, because the 9PM AT job show errors. 🙂

For those of you who prefer a GUI, you can see the same thing in the Scheduled Tasks pane in Control Panel

So, don’t overlook the AT scheduler as a place where infection might hide in an effort to replicate itself. This is the first time I’ve seen it there, and it will be a place I look at from here out…

How To Clean Up After a SQL Injection Attack

NEW AND IMPROVED UPDATE: Cleaning Up After a SQL Injection Attack, Part 2

[UPDATE: Added code to deal with replacing text in the ntext fields of SQL Server 2000.]

One of our clients got hit with a web attack a week or so ago. We’re still not quite sure how this particular attack was carried out — we’re thinking an unpatched web server at the hosting facility — but it did cause me to look at the log file of the web site to see who might have been able to overwrite index.htm in the root directory. (The FTP logs held the clue — a rogue in Asia who cracked the password.)

As I said, it turned up nothing, but I did see a series of SQL Injection attacks — none of which were successful (always check your variables, kids!) — but they piqued my interest, so I took it apart. Continue reading How To Clean Up After a SQL Injection Attack